From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001

From: Lasse Collin <lasse.collin@tukaani.org>

Date: Mon, 4 Apr 2022 23:52:49 -0700

Subject: zgrep: avoid exploit via multi-newline file names

* zgrep.in: The issue with the old code is that with multiple

newlines, the N-command will read the second line of input,

then the s-commands will be skipped because it's not the end

of the file yet, then a new sed cycle starts and the pattern

space is printed and emptied. So only the last line or two get

escaped. This patch makes sed read all lines into the pattern

space and then do the escaping.

This vulnerability was discovered by:

cleemy desu wayo working with Trend Micro Zero Day Initiative

---

 zgrep.in | 10 +++++++---

 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/zgrep.in b/zgrep.in

index 345dae3..bdf7da2 100644

--- a/zgrep.in

+++ b/zgrep.in

@@ -222,9 +222,13 @@ do

 '* | *'&'* | *'\'* | *'|'*)

         i=$(printf '%s\n' "$i" |

             sed '

-              $!N

-              $s/[&\|]/\\&/g

-              $s/\n/\\n/g

+              :start

+              $!{

+                N

+                b start

+              }

+              s/[&\|]/\\&/g

+              s/\n/\\n/g

             ');;

       esac

       sed_script="s|^|$i:|"

-- 

cgit v1.1